MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3f44fd37502cd4b16bca3c3fb1e88a687bd2980926017b0ff1752dc601d4c1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 9


Intelligence 9 IOCs YARA 33 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3f44fd37502cd4b16bca3c3fb1e88a687bd2980926017b0ff1752dc601d4c1e
SHA3-384 hash: b52f7c55d9a86cb50b7a917b83430a667a59ecb2f6371501a40d25f2247f9035e30bbc8ed9057575aab818f8643debc0
SHA1 hash: 3bac11e7cedb4b5126ebba373106e0a07408d1d5
MD5 hash: 2f0125ebef13328bfd11bcd6f3a0617a
humanhash: jig-alabama-single-floor
File name:smartapesg-stradomi.com-step5-zip
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'379'749 bytes
First seen:2025-08-27 17:10:48 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 49152:incw70jsEgn3RYrp7rTd7Vdsyhrj3D/ebPMsUFlykEXLLxCh:BFg3RSzdPsyhrv2b0sUrkH6
TLSH T162B533E6130D96BBC1133F72920D2B82465F3E94C93247778373945DB4BEE4A1A91A2F
Magika zip
Reporter monitorsg
Tags:194-37-97-139 cdn-westford-computing6-net client32 ini LIC NetSupport SmartApeSG westford-systems-icu zip


Avatar
monitorsg
hXXps://ahmm[.]ca/d.js (injected) --> hXXps://shark-watewer[.]com/ajax/pixi.min.js --> hXXps://stradomi[.]com/res/oncebelieve (MSI) --> hXXps://stradomi[.]com/solve.pdb --> hXXps://stradomi[.]com/assets/img/fe99357658356062.txt --> 194[.]37.97.139:443 (NetSupport, XMLCTL, NSM303008)

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
US US
File Archive Information

This file archive contains 15 file(s), sorted by their relevance:

File name:nskbfltr.inf
File size:328 bytes
SHA256 hash: d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368
MD5 hash: 26e28c01461f7e65c402bdf09923d435
MIME type:application/x-setupscript
Signature NetSupport
File name:ntcache.exe
File size:120'288 bytes
SHA256 hash: 31804c48f9294c9fa7c165c89e487bfbebeda6daf3244ad30b93122bf933c79c
MD5 hash: 64f1310f6300870f1c81792733e92e5e
MIME type:application/x-dosexec
Signature NetSupport
File name:HTCTL32.DLL
File size:328'056 bytes
SHA256 hash: 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
MD5 hash: c94005d2dcd2a54e40510344e0bb9435
MIME type:application/x-dosexec
Signature NetSupport
File name:TCCTL32.DLL
File size:396'664 bytes
SHA256 hash: 2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e
MD5 hash: 2c88d947a5794cf995d2f465f1cb9d10
MIME type:application/x-dosexec
Signature NetSupport
File name:atmfd.dll
File size:376'072 bytes
SHA256 hash: f53237f6fb79810d85e14a5da7ee683c42928cbd8b4bd1ebd4b8204ed2fe220c
MD5 hash: 2b75e4a56f5ecfeddef0328575f15f40
MIME type:application/x-dosexec
Signature NetSupport
File name:NSM.ini
File size:6'458 bytes
SHA256 hash: 60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92
MD5 hash: 88b1dab8f4fd1ae879685995c90bd902
MIME type:application/x-wine-extension-ini
Signature NetSupport
File name:client32.ini
File size:700 bytes
SHA256 hash: 847bec19f04f7950040151fec0712d7fdf579dac69c3e7b0a0dd0dd6992cc64d
MD5 hash: 62a3ae43ca8cc202031dd911214d0410
MIME type:text/plain
Signature NetSupport
File name:PCICHEK.DLL
File size:18'808 bytes
SHA256 hash: 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
MD5 hash: 104b30fef04433a2d2fd1d5f99f179fe
MIME type:application/x-dosexec
Signature NetSupport
File name:msvcr100.dll
File size:773'968 bytes
SHA256 hash: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
MD5 hash: 0e37fbfa79d349d672456923ec5fbbe3
MIME type:application/x-dosexec
Signature NetSupport
File name:client32u.ini
File size:636 bytes
SHA256 hash: 1476f99bacb52ae1a5b525935a785243a2b9e921a26163369bc4b0facc5c126b
MD5 hash: c476bccc842a4ad4d6bb0cafe81719e8
MIME type:text/plain
Signature NetSupport
File name:pcicapi.dll
File size:33'144 bytes
SHA256 hash: 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
MD5 hash: 34dfb87e4200d852d1fb45dc48f93cfc
MIME type:application/x-dosexec
Signature NetSupport
File name:PCICL32.DLL
File size:3'740'024 bytes
SHA256 hash: 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
MD5 hash: d3d39180e85700f72aaae25e40c125ff
MIME type:application/x-dosexec
Signature NetSupport
File name:NSM.LIC
File size:195 bytes
SHA256 hash: dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747
MD5 hash: e9609072de9c29dc1963be208948ba44
MIME type:text/plain
Signature NetSupport
File name:nsm_vpro.ini
File size:46 bytes
SHA256 hash: 4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b
MD5 hash: 3be27483fdcdbf9ebae93234785235e3
MIME type:text/plain
Signature NetSupport
File name:remcmdstub.exe
File size:63'864 bytes
SHA256 hash: fedd609a16c717db9bea3072bed41e79b564c4bc97f959208bfa52fb3c9fa814
MD5 hash: 6fca49b85aa38ee016e39e14b9f9d6d9
MIME type:application/x-dosexec
Signature NetSupport
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Program.RemoteAdmin.837.11923.27396.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BackDoor.RMS.227.27668.8844.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.RA.587.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.8291.20066.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.BorlandDelphiKo-1
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.4931.20486.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.6774.30868.UNOFFICIAL
Create hunting rule

PUA.Win.Tool.NetSupport-10022498-8
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.3564.9146.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.19536.7356.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6873a5f6c9eb97473768aca9
Tags:
drivertoolkit lien
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expired-cert microsoft_visual_cc overlay packed signed threat
Link:
https://www.filescan.io/uploads/68af3c221c81c34281d58c38/reports/31d60ff4-0e40-4ab4-9f30-ab9c50a12d38/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f3f44fd37502cd4b16bca3c3fb1e88a687bd2980926017b0ff1752dc601d4c1e
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f3f44fd37502cd4b16bca3c3fb1e88a687bd2980926017b0ff1752dc601d4c1e
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
zip
Link:
https://opentip.kaspersky.com/f3f44fd37502cd4b16bca3c3fb1e88a687bd2980926017b0ff1752dc601d4c1e/results?tab=lookup
Score:
85%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/f3f44fd37502cd4b16bca3c3fb1e88a687bd2980926017b0ff1752dc601d4c1e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3f44fd37502cd4b16bca3c3fb1e88a687bd2980926017b0ff1752dc601d4c1e/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-08-27 17:11:38 UTC
File Type:
Binary (Archive)
Extracted files:
456
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery rat
Link:
https://tria.ge/reports/250827-wnhdpsdm9z/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3f44fd37502cd4b16bca3c3fb1e88a687bd2980926017b0ff1752dc601d4c1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NetSupportRAT_Config
Create hunting rule
Author:abuse.ch
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

zip f3f44fd37502cd4b16bca3c3fb1e88a687bd2980926017b0ff1752dc601d4c1e

(this sample)

  
Link
https://infosec.exchange/@monitorsg/115101836604754160
  
Delivery method
Distributed via web download

Comments